As far as authorization goes, I've noticed that I get prompted for a user-name/password only once during a session. After you've been validated, it appears zope does not prompt you again for that browser session. The reason I'm concerned is that if I have to do maintenance on someone else's web browser, how do I ensure that after I leave a person cannot use the back button or history list to gain manager access to the site? Do I have to exit the browser when I'm done?
Yes! And the same goes for most other web-based security models.

----- Original Message -----
From: <Daniel.Weber@SEMATECH.Org>
To: <zope@zope.org>
Sent: 17 March 2000 22:26
Subject: [Zope] Security question

> As far as authorization goes, I've noticed that I get prompted for a user-name/password only once during a session. After you've been validated, it appears zope does not prompt you again for that browser session.
>
> The reason I'm concerned is that if I have to do maintenance on someone else's web browser, how do I ensure that after I leave a person cannot use the back button or history list to gain manager access to the site? Do I have to exit the browser when I'm done?
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Daniel.Weber@SEMATECH.Org wrote:
> As far as authorization goes, I've noticed that I get prompted for a user-name/password only once during a session. After you've been validated, it appears zope does not prompt you again for that browser session.

Actually Zope does prompt your client on every single request (that requires authorization); it must, because HTTP is stateless. Zope also validates every single request. This is a 'feature' of the HTTP Basic Authentication spec that says browsers can cache auth information. It is however often a lack that browsers do not let you manually clear this cache.
> The reason I'm concerned is that if I have to do maintenance on someone else's web browser, how do I ensure that after I leave a person cannot use the back button or history list to gain manager access to the site? Do I have to exit the browser when I'm done?

Yes. Or force the client to discard its cached auth info with a <dtml-raise Unauthorized></dtml-raise>.

-Michel
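To make Michel's two points concrete (the server checks every request because HTTP is stateless; only the browser "remembers" the login, and a deliberate 401 is what makes it forget), here is an added example that is not from the thread or from Zope itself. It models a stateless server and a browser-like client that caches Basic credentials per realm. The realm name, the user table, the protected paths and the "/manage_logout" path (standing in for a page that does <dtml-raise Unauthorized>) are all constructed assumptions.

```python
"""Added example, not code from the Zope list thread or from Zope: a minimal
model of HTTP Basic authentication. The server validates every request and
keeps no login state; the client caches credentials per realm the way a
browser does, and drops them when it receives a 401 for that realm."""
import base64
import hmac

REALM = "Zope"                      # assumed realm name
USERS = {"manager": "s3cret"}       # constructed credentials (real deployments store hashes)
PROTECTED = {"/manage", "/manage_main"}
LOGOUT = "/manage_logout"           # assumed path whose handler always answers 401


def server(path, headers):
    """Stateless server: each request is judged on its own Authorization header.
    Returns (status, response_headers, body)."""
    if path in PROTECTED or path == LOGOUT:
        auth = headers.get("Authorization", "")
        ok = False
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                ok = user in USERS and hmac.compare_digest(USERS[user], pw)
            except ValueError:      # bad base64 or bad UTF-8: treat as no credentials
                ok = False
        # The logout page raises Unauthorized regardless of who asks, which is
        # the <dtml-raise Unauthorized> trick: a fresh 401 challenge for the realm.
        if path == LOGOUT or not ok:
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"
        return 200, {}, "management screen"
    return 200, {}, "public page"


def _basic_token(credentials):
    user, pw = credentials
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


class BrowserLikeClient:
    """Caches credentials per realm for the session, like a browser. A 401 for
    a realm clears the cache; if the user supplies credentials (the password
    prompt), they are cached and the request is retried once."""

    def __init__(self):
        self.cache = {}     # realm -> "Basic ..." token
        self.log = []       # (path, status) for every request actually sent

    def get(self, path, credentials=None):
        headers = {}
        if REALM in self.cache:
            headers["Authorization"] = self.cache[REALM]   # sent silently, no prompt
        status, _, _ = server(path, headers)
        self.log.append((path, status))
        if status == 401:
            self.cache.pop(REALM, None)                     # challenged: forget cached creds
            if credentials is not None:                     # user answers the prompt
                token = _basic_token(credentials)
                self.cache[REALM] = token
                status, _, _ = server(path, {"Authorization": token})
                self.log.append((path, status))
                if status == 401:
                    self.cache.pop(REALM, None)
        return status


def session_demo():
    """Walk through the scenario from the thread. Returns the four statuses and
    the client's credential cache after the 'logout' page was visited."""
    browser = BrowserLikeClient()
    first = browser.get("/manage", credentials=("manager", "s3cret"))  # prompt, then 200
    second = browser.get("/manage_main")        # no prompt: cached creds re-sent, 200
    logout = browser.get(LOGOUT)                # forced 401 empties the cache
    after = browser.get("/manage")              # back button / history: 401 again
    return first, second, logout, after, dict(browser.cache)


def bad_password_demo():
    """A wrong password is rejected on the retry and nothing stays cached."""
    browser = BrowserLikeClient()
    status = browser.get("/manage", credentials=("manager", "wrong"))
    return status, dict(browser.cache)


if __name__ == "__main__":
    print(session_demo())       # (200, 200, 401, 401, {})
    print(bad_password_demo())  # (401, {})
```

The point the model makes visible: the server never changes state between the second and fourth request; the only thing that changed is what the client is willing to send. Closing the browser discards the cache wholesale, and a page that answers 401 discards it for that realm, which is why both answers in the thread work.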
On Fri, 17 Mar 2000 Daniel.Weber@sematech.org wrote:
> The reason I'm concerned is that if I have to do maintenance on someone else's web browser, how do I ensure that after I leave a person cannot use the back button or history list to gain manager access to the site? Do I have to exit the browser when I'm done?

Yes. Assuming that you're using basic HTTP authentication, restarting the browser will clear everything out.

-Tim

--
Tim Wilson | Henry Sibley HS, W. St. Paul, MN | wilson@visi.com
Visit Sibley online: http://www.isd197.k12.mn.us/
Check out: http://www.zope.org/ | http://slashdot.org/ | http://linux.com/
<dtml-var pithy_quote>
Participants (4): Daniel.Weber@SEMATECH.Org, Michel Pelletier, Phil Harris, Timothy Wilson